Bootcamp

Shehzad Mirza Director of Operations [email protected] [email protected] DMARC Reporting & Analysis: What Happens Next 3 DMARC DNS TXT Record

• Basic: Host: _dmarc. Value: v=DMARC1; p=quarantine; rua=mailto:; ruf=mailto:;

• Complex: Host: _dmarc. Value: v=DMARC1; p=none; rua=mailto:; ruf=mailto:; fo=1; adkim=r; aspf=r; pct=100; rf=afrf; ri=86400; sp=reject; 4 Overview

5 1

2 3 4

6

7

5 DMARC Reports

• DMARC generates two types of reports: • Aggregate • Forensic

6 Forensic/Failure Reports (ruf tag) • Number of reports is dependent on amount of email sent • Reports will provide insight as to which messages were marked as suspicious • Concerns with privacy

7 Sample Forensic/Failure Report

8 Aggregate Reports (rua tag) • Reports sent in XML format to email of choice (can be sent to multiple addresses) • Number and length of reports is dependent on amount of email sent • Allows for: • IT staff to correct any issues with valid messages being dropped by the policy • Visibility into which systems are sending email using org’s domain name (authorized and unauthorized sending IP addresses)

9 google.com noreply-dmarc-support@google.com https://support.google.com/a/answer/2466580 6156901232184779430 1466121600 1466207999 globalcyberalliance.org r r Sample

quarantine

quarantine 100 Aggregate 2607:f8b0:4001:c0b::22f Report 2 none pass pass globalcyberalliance.org globalcyberalliance.org pass globalcyberalliance.org pass 10 Aggregate Reports

11 DMARC Pass/Fail

FROM: Domain DKIM DKIM Alignment SPF SPF Alignment DMARC company.com Pass Aligned - company.com Pass Aligned - company.com Pass company.com Pass Unaligned - domain.com Pass Aligned - company.com Pass company.com Pass Aligned - company.com Pass Unaligned - domain.com Pass company.com Fail Unaligned - domain.com Fail Unaligned - domain.com Fail company.com Fail Unaligned - domain.com Pass Aligned - company.com Pass company.com Pass Aligned - company.com Fail Unaligned - domain.com Pass

12 SPF Alignment Pass: From: [email protected] Return-Path: Received-SPF: pass (google.com: domain of [email protected] designates 2607:f8b0:4864:20::d34 as permitted sender) client-ip=2607:f8b0:4864:20::d34;

Fail: From: [email protected] Return-Path: < [email protected] > Received-SPF: pass (google.com: domain of bounce-mc.us15_71628198.660451- [email protected] designates 205.201.133.58 as permitted sender) client-ip=205.201.133.58;

To achieve a passing SPF alignment, the From: header domain must match the domain used to authenticate SPF (e.g., envelope “mail from:” “return-path” domain). 13 SPF Alignment

14 DKIM Alignment Pass: Message Header: From: [email protected] DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=globalcyberalliance.org; s=gca; h=mime-version:references:in-reply- to:from:date:message-id:subject:to :cc;

Fail: Message Header: From: [email protected] DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mail8.mcsignup.com; s=default; h=mime-version:references:in-reply- to:from:date:message-id:subject:to :cc;

15 What to look for

DKIM Issues

DKIM and SPF Issues

16 Possible Spoofing

17 Spoofing?

18 DMARC Service Providers

19 “Free” Options • UK National Cyber Security Centre - https://github.com/ukncsc/mail-check • St. Louis County - https://github.com/wwalker0307/ElasticMARC • Valimail Monitor - https://go.valimail.com/microsoft.html • parsedmarc - https://github.com/domainaware/parsedmarc

• XML to Human Converters (best if small number of reports are received) • Dmarcian - XML Uploader

• DMARC analyzers (limited capabilities) • Postmark - https://dmarc.postmarkapp.com/ • MXTOOLBOX - https://mxtoolbox.com/dmarcsetup

• 3rd Party tools • LinkedIn LaFayette - https://github.com/linkedin/lafayette/ • SendGrid DMARC Parser - https://github.com/thinkingserious/sendgrid-python-dmarc-parser • Yahoo’s DMARC Report Processor - https://github.com/prbinu/dmarc-report-processor • Additional resources are available on DMARC.org’s Code and Library page 20 • By default you can not send reports to external “External domains Destination • To send to external domains, receiving end must Verification” create following in DNS: Name: ._report._dmarc Value: “v=DMARC1;”

• Example: • gotdmarc.com._report._dmarc.gotdmarc.org

21 DMARC Reports and GDPR

• Forensic reports – privacy concern • Failure reports should be redacted • Reports only send to the email addresses defined in the DMARC policy • Provides visibility into all services that are sending email in your name

22 What Next?

• Review Reports • Adjust SPF and DKIM as needed

• Move to Quarantine/Reject • Continue to review reports • Adjust SPF and DKIM as needed when new mail services are added

23 Week 5 Bootcamp Wrap-up & Additional Email Security Protocols June 2nd Additional Resources

• DMARC.org (http://www.dmarc.org) - Great source for DMARC information

• GCA DMARC - https://dmarc.globalcyberalliance.org

• GCA Community forum – https://community.globalcyberalliance.org

• Bootcamp resources: https://dmarc.globalcyberalliance.org/dmarc- bootcamp/

25 Q&A Thank You!

Shehzad Mirza [email protected] [email protected]

Copyright @ 2020 Global Cyber Alliance